QuartzMarkLetters

Privacy Policy

Last updated: 2026-05-19 · DRAFT

1. Who we are

QuartzMark (the "Company") operates QuartzMark Letters at letters.quartzmark.com. The Company is a sole-proprietorship registered in Japan. Contact: support@quartzmark.com.

2. What we collect

  • Account data: name, email, billing details (via Stripe).
  • Voice profile data: past article text you provide for AI training. Stored ephemerally during voice profile creation, then deleted after the profile is created.
  • OAuth tokens: encrypted credentials to publish on your connected platforms (Substack, Beehiiv, X, etc.). Stored using Supabase Vault encryption.
  • Generated content: drafts and published outputs are retained for analytics during your subscription.
  • Usage data: API call counts, generation history, sign-in events.

3. How we use your data

  • To provide the Service (generate, publish, analyze content)
  • To bill you and prevent fraud
  • To improve quality and detect abuse
  • To respond to your support requests

We do not sell your data to third parties.

4. Subprocessors

  • Anthropic: AI text generation. Data submitted is governed by Anthropic's API privacy terms (zero data retention available).
  • Supabase: database hosting (EU/US regions).
  • Vercel: application hosting (US).
  • Stripe: payments (US).
  • Resend: transactional email (US).
  • Cloudflare: CDN, DNS, email routing.

5. Your rights (GDPR / CCPA)

If you are in the EU/UK or California, you have rights to access, correct, delete, port, and restrict processing of your personal data. Email support@quartzmark.com to exercise these rights. We respond within 30 days.

6. Data retention

Account data is retained while your subscription is active and for up to 90 days after cancellation. Voice profile training data (raw past articles) is deleted within 24 hours of profile creation. Generated content is retained for the duration of your subscription.

7. Security

We use industry-standard encryption (TLS in transit, AES-256 at rest where applicable). OAuth tokens are encrypted with Supabase Vault. We perform routine dependency vulnerability scans and incident response.

8. Children

The Service is not directed to children under 16. We do not knowingly collect data from them.

9. International transfers

Your data may be transferred to and processed in the US and other countries where our subprocessors operate. We use Standard Contractual Clauses where required.

10. Changes

We may update this Policy. Material changes will be communicated via email at least 30 days in advance.

⚠️ This document is a DRAFT generated by AI. It has not been reviewed by a qualified attorney. Do not rely on it for legal purposes until reviewed.